Nintendo Switch Hack: Proof of Concept of the Nintendo Switch Webkit exploit published

Developer LiveOverflow has published a proof-of-concept file confirming that the iOS 9.3 WebKit exploit works on the Nintendo Switch. The exploit had been announced earlier by qwertyoruiop, the hacker behind the iOS 9.3 jailbreak, which used the same vulnerability (CVE-2016-4657) as its starting point.

Nintendo Switch WebKit exploit confirmed with PoC

Along with the proof of concept, LiveOverflow has published a detailed explanation of how the exploit works (video below), as well as a summary of how to launch the Nintendo Switch browser (a feature most Switch owners are still unaware exists; see DNSwitch for details).

With LiveOverflow's work, Nintendo Switch owners can now confirm for themselves that their console's browser is vulnerable. This is the first exploit released for the console, only a few days after the Switch reached the public. It is still unclear why the Switch shipped with an unpatched browser vulnerability that had been public, and fixed upstream in WebKit and in iOS 9.3.5, since August 2016.

Nintendo Switch hack – What next?

What has been released is just a proof of concept: it confirms that the browser is vulnerable to the attack. To the end user, this brings nothing usable at this point. For hackers, however, it is an entry point for analyzing the internals of the Nintendo Switch OS: code execution inside the browser process makes it possible to read that process's memory and learn more about the device's firmware. Typically this kind of exploit leads to dumping a few system libraries, followed by a hunt for a privilege-escalation vulnerability (ultimately a kernel exploit) that would give full access to the device. Until then, the browser exploit is confined to whatever the browser process itself is allowed to do.

Nintendo Switch WebKit exploit – Download and test

You can test the exploit on your own Nintendo Switch by getting the files from LiveOverflow's GitHub repository and hosting them on a web server on your local network. Since the Switch browser has no address bar, the console has to be redirected to your server: using DNSwitch or a proxy (following LiveOverflow's video below), point the Switch's browser at the hosted file to run the test.
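The DNS side of that redirection, as an added example that is not part of the article, of LiveOverflow's files or of DNSwitch: a minimal responder that answers every A query with the address of the machine hosting the PoC. Setups like DNSwitch work by pointing the console's DNS at a server of this kind, so that the hostname the Switch looks up during its network connectivity check resolves to your web server and the hidden browser opens your page instead of Nintendo's. Answering all names, rather than only the connectivity-check hostname, is a simplification chosen here so the example does not need to know that hostname. `POC_SERVER_IP` is a constructed LAN address, and the web server itself (for example `python3 -m http.server 80` in the directory holding `index.html` and `poc1.html`) is assumed to run on the same machine.

```python
import socket
import struct

# Constructed for this example: the LAN address of the machine serving the PoC files.
POC_SERVER_IP = "192.168.1.50"
TYPE_A = 1
CLASS_IN = 1


def build_query(name: str, txid: int = 0x1234, qtype: int = TYPE_A) -> bytes:
    """Build a standard recursive DNS query for one name (used for offline testing)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(query: bytes):
    """Return (name, qtype, qclass, end_offset) for the first question in a query."""
    qdcount = struct.unpack("!H", query[4:6])[0]
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels = []
    offset = 12
    while True:
        length = query[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(query[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    return ".".join(labels), qtype, qclass, offset + 4


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer an A/IN question with `ip`; any other question type gets an empty NOERROR reply."""
    _name, qtype, qclass, qend = parse_question(query)
    txid = query[:2]
    question = query[12:qend]
    flags = 0x8180  # QR=1 (response), RD and RA set, RCODE 0
    if qtype != TYPE_A or qclass != CLASS_IN:
        return txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question
    header = txid + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to offset 12, i.e. the name in the question.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def answered_ip(response: bytes):
    """Extract the IPv4 address from the first answer of a response, or None if there is none."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    offset = 12
    while response[offset] != 0:          # skip the echoed question name
        offset += 1 + response[offset]
    offset += 1 + 4                        # terminator, QTYPE, QCLASS
    rdlength = struct.unpack("!H", response[offset + 10:offset + 12])[0]
    return socket.inet_ntoa(response[offset + 12:offset + 12 + rdlength])


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Answer every A query on UDP/53 with POC_SERVER_IP. Needs root; run only on an isolated LAN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        query, client = sock.recvfrom(512)
        try:
            name = parse_question(query)[0]
            sock.sendto(build_response(query, POC_SERVER_IP), client)
            print(f"{client[0]} asked for {name} -> {POC_SERVER_IP}")
        except (ValueError, IndexError):
            pass  # malformed query: ignore it rather than crash the responder


if __name__ == "__main__":
    serve()
```

Run it as root (UDP port 53 is privileged) on the machine that also hosts the PoC files, set that machine's address as the Switch's DNS server in the console's network settings, and watch the printed lookups: if no query from the console ever arrives, the problem is network configuration, not the exploit. Because every device that uses this server is redirected, keep it on a network you control and stop it when the test is over.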

If you run into issues confirming the exploit, this thread on GBATemp has some troubleshooting steps, in particular:

If I set up my server with his exact files freshly unzipped from his github master (not just poc1.html but also his index.html which redirects to it), then I am able to get to the end of the PoC reliably.

127 Responses

If the iOS jailbreak can work, this should be a Unix-based kernel, but that's a huge if. But if it is, we could run full-blown Linux or probably the Shield TV OS. But this is more speculation than fact.

[…] rendering engine used by a hidden, integrated browser. A second individual, LiveOverflow, quickly published a proof of concept confirming the discovery, while a third research group, ReSwitched, offered their own […]
